{{- define "controller_resources" }}
cpu: 10m
memory: 50Mi
{{- end }}

{{- if include "machine_controller_manager_enabled" . }}
  {{- if hasKey $.Values.nodeManager.internal "cloudProvider" }}
    {{- if (.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
---
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: machine-controller-manager
  namespace: d8-cloud-instance-manager
  {{- include "helm_lib_module_labels" (list . (dict "app" "machine-controller-manager" "workload-resource-policy.deckhouse.io" "master")) | nindent 2 }}
spec:
  targetRef:
    apiVersion: "apps/v1"
    kind: Deployment
    name: machine-controller-manager
  updatePolicy:
    updateMode: "Auto"
  resourcePolicy:
    containerPolicies:
    - containerName: "controller"
      minAllowed:
        {{- include "controller_resources" . | nindent 8 }}
      maxAllowed:
        cpu: 20m
        memory: 70Mi
    {{- include "helm_lib_vpa_kube_rbac_proxy_resources" . | nindent 4 }}
    {{- end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: machine-controller-manager
  namespace: d8-cloud-instance-manager
  {{- include "helm_lib_module_labels" (list . (dict "app" "machine-controller-manager")) | nindent 2 }}
spec:
  {{- include "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" . | nindent 2 }}
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: machine-controller-manager
  template:
    metadata:
      labels:
        app: machine-controller-manager
    spec:
      {{- include "helm_lib_priority_class" (tuple . "system-cluster-critical") | nindent 6 }}
      {{- include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "machine-controller-manager")) | nindent 6 }}
      {{- include "helm_lib_node_selector" (tuple . "master") | nindent 6 }}
      {{- include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized") | nindent 6 }}
      {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 6 }}
      serviceAccountName: machine-controller-manager
      hostNetwork: true
      dnsPolicy: Default
      imagePullSecrets:
      - name: deckhouse-registry
      containers:
        - image: {{ include "helm_lib_module_image" (list . "machineControllerManager") }}
          name: controller
          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 10 }}
          command:
          - /machine-controller-manager
          args:
          - --namespace=d8-cloud-instance-manager
          - --cloud-provider={{ .Values.nodeManager.internal.cloudProvider.type | quote }}
          - --machine-max-evict-retries=30
{{- if eq .Values.nodeManager.internal.cloudProvider.type "yandex" }}
          - --machine-safety-orphan-vms-period=30s
{{- else }}
          - --machine-safety-orphan-vms-period=5m
{{- end }}
          - --failed-machine-deletion-ratio=0.2
          - --bootstrap-token-auth-extra-groups=system:bootstrappers:d8-node-manager
          - --address=127.0.0.1
          - --port=10258
          - --machine-drain-delay=1m
          - -v=2
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          resources:
            requests:
              {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 14 }}
    {{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
              {{- include "controller_resources" . | nindent 14 }}
    {{- end }}
          env:
          - name: LEADER_ELECTION_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          {{- include "helm_lib_envs_for_proxy" . | nindent 10 }}
        - name: kube-rbac-proxy
          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 10 }}
          image: {{ include "helm_lib_module_common_image" (list . "kubeRbacProxy") }}
          args:
          - "--secure-listen-address=$(KUBE_RBAC_PROXY_LISTEN_ADDRESS):8443"
          - "--v=2"
          - "--logtostderr=true"
          - "--stale-cache-interval=1h30m"
          - "--livez-path=/livez"
          env:
          - name: KUBE_RBAC_PROXY_LISTEN_ADDRESS
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
          - name: KUBE_RBAC_PROXY_CONFIG
            value: |
              excludePaths:
              - /healthz
              upstreams:
              - upstream: http://127.0.0.1:10258/
                path: /
                authorization:
                  resourceAttributes:
                    namespace: d8-cloud-instance-manager
                    apiGroup: apps
                    apiVersion: v1
                    resource: deployments
                    subresource: prometheus-metrics
                    name: machine-controller-manager
          ports:
          - containerPort: 8443
            name: https-metrics
          livenessProbe:
            httpGet:
              path: /livez
              port: 8443
              scheme: HTTPS
          readinessProbe:
            httpGet:
              path: /livez
              port: 8443
              scheme: HTTPS
          resources:
            requests:
              {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 14 }}
    {{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
              {{- include "helm_lib_container_kube_rbac_proxy_resources" . | nindent 14 }}
    {{- end }}
  {{- end }}
{{- end }}
